4.4 Given an Incident, apply mitigation techniques or controls to secure an environment Flashcards
Reconfigure Endpoint Security Solutions
When technologies change or we suffer a data breach, we might have to reconfigure the endpoint security solutions. We are going to look at these types of configuration in the following sections, starting with the application approved list.
Application Approved List
We can use application whitelisting (an approved list or allow list), where only the approved applications are listed: if an application is not on the list, it cannot be launched. Some devices, such as the pfSense firewall, use the term Allowed Lists. For the purposes of the Security+ exam, if we want to prevent users from installing applications or prevent malware from installing, we create a whitelist. Neither the unauthorized applications nor the malware will be on the whitelist, so they will be prevented from being installed or run. In practice, entries should identify an application by its file hash or code-signing publisher rather than by file name, because a file name is trivial to change.
Application Block List/Deny List
We can blacklist (deny list) applications that are deemed dangerous, such as the hacking tools bundled with Kali Linux. If an application is on the blacklist, it is banned outright and cannot also be placed on the whitelist. Some devices, such as the pfSense firewall, have Block Lists. We need the name of an application to blacklist it, and that is the weakness of the approach: a deny list only stops what we already know about, and a name-based entry is bypassed by renaming the executable, whereas a whitelist denies everything that has not been explicitly approved.
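The difference between the two lists is easier to see in code. The following is an added example, not code from the original page or from any product it mentions; the "binaries" are constructed byte strings standing in for files on disk, and the list contents (ALLOWED_HASHES, DENIED_NAMES) are hypothetical. It checks the same file against a name-based deny list and a hash-based allow list and shows that renaming a banned tool, or tampering with an approved one, only gets past the deny list.

```python
import hashlib

# Constructed sample "executables". In a real deployment the bytes would be read
# from the file on disk; they are embedded here so the example runs offline.
SAMPLE_BINARIES = {
    "excel.exe": b"approved spreadsheet binary v1",
    "nmap.exe": b"port scanner binary",
    # nmap.exe copied to a harmless-looking name to evade a name-based deny list
    "notepad.exe": b"port scanner binary",
    # approved binary with extra code appended (simulated tampering)
    "excel.exe.tampered": b"approved spreadsheet binary v1 with implant",
}


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; this is what the allow list is keyed on."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical allow list: hashes of known-good binaries, not their names.
ALLOWED_HASHES = {sha256_hex(b"approved spreadsheet binary v1")}

# Hypothetical deny list keyed only on the file name, as the text describes.
DENIED_NAMES = {"nmap.exe"}


def name_based_deny_permits(filename: str) -> bool:
    """Return True if a name-only deny list would let this file run."""
    return filename.lower() not in DENIED_NAMES


def hash_based_allow_permits(data: bytes) -> bool:
    """Return True if a hash-based allow list would let this file run."""
    return sha256_hex(data) in ALLOWED_HASHES


def evaluate(filename: str, data: bytes) -> dict:
    """Decision of each control for one file, so the two can be compared side by side."""
    return {
        "deny_list": name_based_deny_permits(filename),
        "allow_list": hash_based_allow_permits(data),
    }


if __name__ == "__main__":
    for name, blob in SAMPLE_BINARIES.items():
        verdict = evaluate(name.split(".tampered")[0], blob)
        print(f"{name:<20} deny-list permits={verdict['deny_list']!s:<5} "
              f"allow-list permits={verdict['allow_list']}")
```

The renamed scanner (notepad.exe) and the tampered spreadsheet both sail through the deny list and are both stopped by the allow list, which is why the exam answer for "prevent unauthorized software" is the whitelist.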
Quarantine
If we find a device has been infected with a virus, we can remove it from the network by quarantining it. We can also use Network Access Control (NAC) so that devices that are not patched or are vulnerable are placed in a quarantine network where a remediation server applies patches to the system before it is allowed back on to the network. With NAC, the user is authenticated, then the device is checked to ensure that it is fully patched.
Configuration Changes
As new attacks emerge and new technologies are implemented, we may have to make configuration changes to secure our environment. It is important that we take a robust approach to configuration management in the following areas.
Firewall Rules
Firewall rules can be used to block traffic. On endpoint devices, we can use either an MDM solution or Group Policy to push the changed host firewall configuration out to every device.
Mobile Device Management (MDM)
An MDM solution can be used to push configuration changes to mobile devices. The password policy may change, or we might remove the ability to use the camera on mobile phones. The MDM solution will push out the new configuration changes.
Data Loss Prevention (DLP)
There is a security risk that credit card information, or any other data that matches a known pattern, leaves the company or is exfiltrated. DLP uses pattern matching, typically a regular expression, to ensure that this data does not leave via email. Good examples of data that DLP prevents leaving our environment are PII and other sensitive information.
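A bare regular expression for card numbers produces false positives on any run of 13 to 19 digits (order numbers, tracking IDs), so DLP products pair the pattern with a validity check. The following is an added example, not code from the original page or any DLP product; the outbound emails are constructed sample messages. It scans each body for digit runs with optional spaces or dashes and keeps only those that pass the Luhn checksum that payment card numbers satisfy.

```python
import re

# Constructed sample outbound messages (subject, body); not real customer data.
SAMPLE_EMAILS = [
    ("Invoice", "Please charge 4111 1111 1111 1111 for the order."),
    ("Shipping", "Order ref 1234567890123456 shipped yesterday."),
    ("Support", "Call us on 020 7946 0000 if anything is wrong."),
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def should_block(body: str) -> bool:
    """Policy decision for one outbound message."""
    return bool(find_card_numbers(body))


def scan_outbound(emails) -> list:
    """Evaluate every (subject, body) pair and report which would be blocked."""
    return [(subject, should_block(body)) for subject, body in emails]


if __name__ == "__main__":
    for subject, blocked in scan_outbound(SAMPLE_EMAILS):
        print(f"{subject:<10} blocked={blocked}")
```

The invoice is blocked, while the 16-digit order reference fails the Luhn check and the phone number is too short to match at all. Real DLP rules usually add further context (issuer prefix ranges, nearby keywords such as "CVV" or "expiry") because Luhn alone still accepts one in ten random digit strings.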
Content Filter/URL Filter
We might update the content filters on either a proxy server or a Unified Threat Management (UTM) firewall in response to security events. The content filter blocks categories of website, for example gambling sites, while the URL filter prevents the endpoints from visiting a specific website, for example one that has been compromised in an attack.
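A URL filter has to match on the parsed host name rather than on the raw URL string, otherwise it both misses and over-blocks. The following is an added example, not code from the original page or any proxy or UTM product; the block list contents (BLOCKED_DOMAINS, BLOCKED_URL_PREFIXES) are hypothetical. It blocks a domain together with all its subdomains, normalises case and a trailing dot, and contrasts that with a naive substring check.

```python
from urllib.parse import urlsplit

# Hypothetical block list entries, as an administrator might add after an incident.
BLOCKED_DOMAINS = {"gambling.example", "compromised.example"}
# A single compromised page on an otherwise allowed site.
BLOCKED_URL_PREFIXES = {"https://news.example/attacked-page"}


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'GAMBLING.EXAMPLE.' matches the list."""
    return host.lower().rstrip(".")


def host_blocked(host: str) -> bool:
    """True if the host or any parent domain is on the block list."""
    labels = normalise_host(host).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def url_blocked(url: str) -> bool:
    """Policy decision for one request: domain block list first, then exact URL prefixes."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # hostname ignores userinfo such as 'evil@good'
    if host_blocked(host):
        return True
    return any(url.lower().startswith(prefix) for prefix in BLOCKED_URL_PREFIXES)


def naive_substring_blocked(url: str) -> bool:
    """The mistake to avoid: a substring test on the whole URL."""
    return any(domain in url.lower() for domain in BLOCKED_DOMAINS)


if __name__ == "__main__":
    for u in [
        "http://cdn.gambling.example/play",          # subdomain of blocked domain
        "http://notgambling.example/",                # different domain, similar name
        "http://gambling.example@good.example/",      # blocked name hidden in userinfo
        "http://good.example/?ref=gambling.example",  # blocked name in query string
        "https://news.example/attacked-page?id=1",    # blocked page
        "https://news.example/other",                 # allowed page on same site
    ]:
        print(f"{u:<45} filter={url_blocked(u)!s:<5} naive={naive_substring_blocked(u)}")
```

The naive check lets "notgambling.example" through only by luck of the substring, blocks a harmless page because the blocked name appears in its query string, and blocks the userinfo trick for the wrong reason; the parsed-host version gives the answer the policy actually intends.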
Update or Revoke Certificates
If the endpoints report a host or trust error, we have a certificate problem. We may need to update (renew) the certificate because it has expired, or revoke the certificate because its private key has been compromised. If the certificate of the issuing CA is not installed in the Trusted Root Certification Authorities store, that will also generate a trust error, because the endpoint cannot build a chain to a root it trusts.
Isolation
We may have to air gap research and development endpoints, isolating them from the network to protect them against network-based attacks. They have no wireless, Bluetooth, or Ethernet connection. The only way to add data to or extract data from an air-gapped computer is by using removable media such as a USB drive, so that media must itself be controlled and scanned.
Containment
If the security team finds that an endpoint has been compromised and may be infected with malware, they contain it to stop the malware spreading. Examples of containment are removing infected machines from the network or disabling user accounts that have been used to breach the network.
Segmentation
We can use containerization in a BYOD environment, which keeps personal and business data separate on a mobile device, for example in an encrypted business container or on a separate storage card (storage segmentation). The separation controls what a remote wipe affects: the company can wipe the business container or card without touching the user's personal data, and a factory reset of the handset does not affect data kept on the card. We may also have to segment devices that have become vulnerable, such as an unpatched printer for which no updates exist: we could place these printers in their own VLAN and restrict what can reach them.
Security Orchestration, Automation, and Response (SOAR)
Orchestration is the process of running multiple automations, across multiple tools, to perform complex tasks; automation is the process of scripting a single activity. SOAR systems collect alerts from multiple sources and respond to them using playbooks (automated workflows) and runbooks.
Runbooks
These are documents describing events and the actions that need to be taken so that the human IT teams can act to stop threats. This information can be used to configure the playbook, which automates the same steps.